Close Menu

    Microsoft slams Google over security disclosure

    By
    Terry Myerson
    Terry Myerson

    Microsoft said a computer hacking group that has previously targeted government agencies has attacked its Windows software and Adobe Systems’ Flash program.

    The company will release a security patch for its operating system on 8 November, Windows chief Terry Myerson said on Tuesday in a blog post on Microsoft’s website. Users of Microsoft’s Edge browser on the latest update to Windows 10 are protected from the flaw, the company said.

    The security exploit, by a group Microsoft calls Strontium, was discovered by Google’s Threat Analysis Group and announced on Monday. The attacks, which sought to take control of a user’s computer, took advantage of so-called zero-day flaws, or security holes that are unknown to the product’s vendor and therefore no patch has yet been developed.

    “Strontium is an activity group that usually targets government agencies, diplomatic institutions and military organisations, as well as affiliated private sector organisations such as defence contractors and public policy research institutes,” according to the Microsoft blog. “Microsoft has attributed more zero-day exploits to Strontium than any other tracked group in 2016.”

    Google’s decision to disclose these vulnerabilities before patches are broadly available … puts customers at increased risk

    The group is also known as Fancy Bear and APT 28 and has been previously linked to the Russian government and US political hacks, Reuters reported.

    In a blog post on Monday, Google said it reported the issue to Adobe and Microsoft on 21 October, and Adobe updated Flash five days later. The Internet search giant said its policy is to disclose actively exploited security vulnerabilities after seven days.

    Still, Microsoft expressed displeasure with Google for announcing the vulnerability before a patch for Windows was available.

    “Responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” Myerson wrote in the blog. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”  — (c) 2016 Bloomberg LP



    Share.

    Related Posts